Issues

ZF-12165: Warning: htmlspecialchars() expects parameter 1 to be string, array given in \Zend\View\Abstract.php on line 905

Issue Type: Bug Created: 2012-04-20T15:11:41.000+0000 Last Updated: 2012-07-24T07:55:46.000+0000 Status: Resolved Fix version(s): Reporter: John Brown (johniskew) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_View

Related issues: Attachments:

Description

If a user submits an array instead of an expected string for "non-array" form fields, this warning is generated.

Simple test:

$form->setMethod('get'); $q = new Zend_Form_Element_Text('q'); $form->addElement($q);

Submit the form. Edit the address bar to be 'q[]=' instead of 'q=' and the Zend View will emit the warning.

Comments

Posted by Matthew Weier O'Phinney (matthew) on 2012-04-20T16:21:47.000+0000

I'd argue this is expected and reasonable behavior. The error occurs when you try and pass an invalid value to be rendered; as such, you should correct your form.

Posted by John Brown (johniskew) on 2012-04-20T17:24:17.000+0000

I think you're looking at it from a different view than I am. In the example the form element does expect a string, and the developer should only expecting a string. However a "malicious" user can quite simply edit the URL to include the [].

http://host/form.php?q=hello vs http://host/form.php?q[]=hello.

Then that breaks the underlying Zend escaping mechanism. This shouldnt require developer intervention to fix that. We can do all the filtering/validation on the zend form end, but once the variable gets to the zend view end it will break.

Posted by Vatturi Srinivas (srinivas) on 2012-07-24T05:35:53.000+0000

Warning: htmlspecialchars() expects parameter 1 to be string, array given in \Zend\View\Abstract.php on line 905 is getting when I am not navigating to another page.(I am dispalying that form at html page).

Code: $this->setMethod('post'); $this->setAction('/index/save'); $first=new Zend_Form_Element_Text("first"); $first->setLabel("First Name"); $first->setAttrib('id','first'); $first->setAttrib('name','first'); $first->setAttrib('class','required'); $last=new Zend_Form_Element_Text("last"); $last->setAttrib('id','last'); $last->setLabel("Last Name"); $last->setAttrib('class','required'); $email=new Zend_Form_Element_Text("email"); $email->setAttrib('id','email'); $email->setAttrib('name','email'); $email->setLabel('UserId : '); $password = new Zend_Form_Element_Password("password"); $password ->setLabel('Password:'); $password ->setAttribs(array('id'=>'password', 'name'=>'password'));

    $submit=new Zend_Form_Element_Submit('submit');
    $submit->setAttrib('name','register');
    $submit->setAttrib('id','register');
    $submit->setValue('Submit');
    $this->addElements(array($email,$password,$first,$last,$submit));

In the above code, I am getting that warning only for the text element 'email'.

Posted by Frank Brückner (frosch) on 2012-07-24T07:55:46.000+0000

@Vatturi

I can not reproduce your problem. I have tested your form in a standard application environment and as a stand alone form. Please test the form outside your application.

You do not need setMethod('post'), setAttrib('id', …) or setAttrib('name', …):

<pre class="highlight">
$this->setAction('/index/save');

$first = new Zend_Form_Element_Text('first');
$first->setLabel('First Name');
$first->setAttrib('class', 'required');

$last = new Zend_Form_Element_Text('last');
$last->setLabel('Last Name');
$last->setAttrib('class', 'required');

$email = new Zend_Form_Element_Text('email');
$email->setLabel('UserId : ');

$password = new Zend_Form_Element_Password('password');
$password->setLabel('Password:');

$submit = new Zend_Form_Element_Submit('submit');
$submit->setLabel('Submit');

$this->addElements(array($email, $password, $first, $last, $submit));

You will get the same HTML output.

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts